一.参考文章 

(52条消息) canary介绍与绕过技巧_0pt1mus-CSDN博客_canary绕过https://blog.csdn.net/weixin_43713800/article/details/105273284

(52条消息) 【GDB】__stack_chk_fail 栈溢出问题定位_pcj_888的博客-CSDN博客___stack_chk_fail定位手段https://blog.csdn.net/pcj_888/article/details/111305718#:~:text=%E5%8E%9F%E5%9B%A0%E5%88%86%E6%9E%90%EF%BC%9A%20__stack_chk_fail%20%E8%AF%B4%E6%98%8E%20%E5%8F%91%E7%94%9F%E4%BA%86%E7%BC%93%E5%86%B2%E5%8C%BA%E6%BA%A2%E5%87%BA%EF%BC%8Ccanary%E8%A2%AB%E7%A0%B4%E5%9D%8F,%E3%80%82%20%E8%BF%99%E8%AF%B4%E6%98%8E%E4%BB%A3%E7%A0%81%E8%AE%BE%E7%BD%AEGCC%E7%BC%96%E8%AF%91%E9%80%89%E9%A1%B9%20fstack-protector%20%EF%BC%8C%E5%BC%80%E5%90%AF%E4%BA%86%20%E6%A0%88%E4%BF%9D%E6%8A%A4%E6%9C%BA%E5%88%B6canary

GDB 单步调试汇编 - 张雅宸 - 博客园 (cnblogs.com)https://www.cnblogs.com/zhangyachen/p/9227037.html

二.技术总结 

1.rbp/rsp寄存器

2.数据断点 —— 用 watch *0x7fffffffe4a8 或 watch var_name 设置数据断点，在对应内存位置被修改时停下。

3. fs寄存器 

  • FS and GS are clones of ES, the extra segment.

  • FS and GS both are just additional segments, no specialty here.

  • Names FS and GS come from the fact that they were created after ES: E, F, G.

  • They exist only in the 386 and later x86 CPUs.

  • Extra segments ES, FS, and GS can be used for both data or code.

  • On x86-64 Linux the stack canary is read from the thread-local block that FS points to (the `mov %fs:0x28,%rax` in a protected function's prologue), which is why FS shows up when tracing a `__stack_chk_fail`.

三.场景复现 —— 源代码编写

1.顶层main.c

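extern void func1();	// defined in libcomp1.so

/* Entry point of the repro: the whole scenario is a single call into
 * libcomp1, which in turn calls into libcomp2 (see comp1.c / comp2.c).
 * Returns 0 on normal completion; the page's scenario is that this run
 * instead aborts in __stack_chk_fail somewhere below func1.
 * Declared as `int main(void)` rather than `void main()` because the
 * latter is not a standard signature for main. */
int main(void) {
    func1();
    return 0;
}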

2.顶层CMakeLists.txt

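cmake_minimum_required(VERSION 3.5)

project(test)

#set(CMAKE_BUILD_TYPE DEBUG)

# Compiler options. main.c is compiled as C, so the C debug flags must be set
# too: CMAKE_CXX_FLAGS_DEBUG on its own never reaches this target, and the
# gdb session in the later sections needs -g on the executable.
set(CMAKE_C_FLAGS_DEBUG "-g -Wall")
set(CMAKE_CXX_FLAGS_DEBUG "-g -Wall")

# Header search path. Only comp1's copy of lua.h is on the include path here;
# comp2 is built separately against its own copy (see comp2/lua.h).
set(INC_DIR /home/ldeng/Documents/stack_test/comp1)

# Add the header directory
include_directories(${INC_DIR})

# Build the executable
add_executable(test main.c)

# Both shared objects are linked by absolute path. Each was built against its
# own lua.h, which is where the struct lua_Debug layout disagreement comes from.
target_link_libraries(test
  "/home/ldeng/Documents/stack_test/comp1/build/libcomp1.so"
  "/home/ldeng/Documents/stack_test/comp2/build/libcomp2.so"
)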

3.comp1/lua.h

#ifndef __LUA_H__
#define  __LUA_H__

/* comp1's private copy of lua.h. comp2/lua.h is a second, independent copy
 * of the same header; the two differ only in the type of the last member
 * i_ci (int here, int * there), so code built against one copy sees a
 * different size of struct lua_Debug than code built against the other.
 * func1 in comp1.c allocates a struct with this layout and hands it to
 * func2 in libcomp2, which stores into i_ci using the other layout. */

#define LUA_IDSIZE 60   /* length of short_src */

struct lua_Debug{
    int event;
    const char *name;
    const char *namewhat;
    const char *what;
    const char *source;
    int currentline;
    int nups;
    int linedefined;
    int lastlinedefined;
    char short_src[LUA_IDSIZE];

    int i_ci;   // 4 bytes -- comp2/lua.h declares this same field as `int *` (8 bytes on a 64-bit target)
};

#endif

4.comp1/comp1.c

#include "lua.h"

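extern void func2(struct lua_Debug *a, char *b, int c); // defined in libcomp2.so

/* Calls into libcomp2 with a struct lua_Debug laid out per comp1/lua.h.
 * func2 was compiled against comp2/lua.h, where i_ci is an `int *`, so its
 * store to a->i_ci uses a different size (and, with 8-byte pointer alignment,
 * a different offset) than the object `a` has in this frame; this is the
 * frame that gets corrupted in the page's scenario, which is why a
 * __stack_chk_fail is reported here rather than in comp2.
 * b and c are arbitrary values that func2 accepts but does not use. The
 * casts only make the conversions explicit -- the original's bare
 * `char *b = 0x12345678;` is an int-to-pointer conversion without a cast,
 * which C does not allow implicitly; the values passed are unchanged. */
void func1() {
    struct lua_Debug a = {0};
    char *b = (char *)0x12345678;   /* never dereferenced */
    int c = (int)0xFFFFFFFF;        /* value is irrelevant to the repro */
    func2(&a, b, c);
}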

5.comp1/CMakeLists.txt

cmake_minimum_required(VERSION 3.5)

project(comp1)

# Builds libcomp1.so from comp1.c against this directory's own lua.h.
# The header is listed as a source only so tooling sees it; it is not
# compiled on its own.
add_library(comp1 SHARED comp1.c lua.h)

6.comp2/lua.h

#ifndef __LUA_H__
#define  __LUA_H__

/* comp2's private copy of lua.h. It shares its include guard and every
 * member with comp1/lua.h except the last one: i_ci is an `int *` here and
 * an `int` there. The two libraries are linked into the same executable, so
 * a struct built by comp1 with the smaller layout is accessed by comp2
 * through this larger one -- the store in func2 (comp2.c) is what corrupts
 * the caller's frame in the page's scenario. */

#define LUA_IDSIZE 60   /* length of short_src */

struct lua_Debug{
    int event;
    const char *name;
    const char *namewhat;
    const char *what;
    const char *source;
    int currentline;
    int nups;
    int linedefined;
    int lastlinedefined;
    char short_src[LUA_IDSIZE];

    int *i_ci;  // 8 bytes on a 64-bit target -- comp1/lua.h declares this same field as `int` (4 bytes)
};

#endif

6.comp2/comp2.c

#include "lua.h"

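/* Stores into a->i_ci through comp2's view of struct lua_Debug, where i_ci
 * is an `int *` (8 bytes on a 64-bit target) placed after the 60-byte
 * short_src. The caller in comp1 built `a` with comp1/lua.h, where i_ci is
 * a 4-byte int, so the size (and, with 8-byte pointer alignment, the offset)
 * of this store does not match the object it lands in -- that is the
 * corruption the page reproduces. b and c are accepted but unused.
 * The cast makes the original's implicit int-to-pointer conversion explicit;
 * the stored value (pointer with value 1) is unchanged. */
void func2(struct lua_Debug *a, char *b, int c) {
    (void)b;
    (void)c;
    a->i_ci = (int *)1;
}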

7.comp2/CMakeLists.txt

cmake_minimum_required(VERSION 3.5)

project(comp2)

# Builds libcomp2.so from comp2.c against this directory's own lua.h, which
# differs from comp1/lua.h in the type of i_ci. The header is listed as a
# source only so tooling sees it; it is not compiled on its own.
add_library(comp2 SHARED comp2.c lua.h)

四.场景复现 —— gdb调试

五.堆栈结构分析实例

1.源代码

/* Adds two ints and returns the result. Deliberately tiny: it exists so its
 * stack frame can be inspected under gdb in the sections that follow. */
int sum(int x,int y){
    const int total = x + y;
    return total;
}

/* Driver for the frame-layout walkthrough: two locals, one call into sum,
 * and a third local that receives the result but is never read. The value
 * of c is not the point -- presumably it is kept so the frame has a slot
 * for it while the stack is inspected (whether the compiler actually
 * keeps it depends on optimization level; the page builds with -g). */
int main(){
        int x=10;
        int y=20;
        int c=sum(x,y);

        return 0;
}

2.进入sum后的堆栈布局

3.main函数即将结束时的堆栈
